forked from containerd/cri
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sandbox: separate host accessing workload and privileged
VM isolated runtimes can support privileged workloads. In this scenario, access to the guest VM is provided instead of the host. Based on this, allow untrusted runtimes to run privileged workloads. If the workload is specifically asking for node PID/IPC/network, etc., then continue to require the trusted runtime. This commit repurposes the hostPrivilegedSandbox utility function to only check for node namespace checking. Fixes: containerd#855 Signed-off-by: Eric Ernst <eric.ernst@intel.com>
- Loading branch information
Eric Ernst
committed
Jul 20, 2018
1 parent
42a98de
commit 98ddc99
Showing
2 changed files
with
12 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters